TMT 2019

Last Updated June 13, 2019

Italy

Law and Practice

Authors



R&P Legal counts eight partners and 12 associates and assists clients in the television, cinema, internet, technology and music sectors, including major national and international operators. The team advises on specialist contractual issues, regulatory matters, disputes, financing contributions and instruments such as tax credits and product placements, and on relations with the relevant Authorities, Ministries, the SIAE (the Association of Italian Authors and Publishers) and other collecting entities. It also assists clients with respect to tax credits, tax shelters and local incentives in the theatrical production sector, assists major ISPs in relation to copyright infringement issues, assists musical talents in relation to recording, publishing, tour, endorsement and merchandising agreements, assists music publishers in connection with the sale/licensing of their catalogues, drafts technology development and transfer agreements, and assists clients with privacy/data protection matters, among many others. In particular, it is active in drafting privacy impact assessments aimed at making data-processing compliant with the GDPR, and also assists clients with big data management, IoT projects, communications with the competent authorities, the extra-UE transfer of databases and/or their assignment to third parties, OBAs and cookies. The firm also advises on compliance, the strategic implementation of specific IT or web-based projects, e-commerce, innovative services, and advertising and marketing initiatives. The firm is a member of ADLaw International, the International Association for the Protection of Intellectual Property (AIPPI), ITechlaw and the International Trademark Association (INTA).

Cloud computing is mainly regulated under privacy, administrative and cybercrime laws.

Cloud services must be compliant, first of all, with privacy law provisions contained in the European General Data Protection Regulation No 679/2016 (GDPR) and the Legislative Decree No 196/2003 ('Privacy Code'), which set forth the security measures and the other obligations that a data controller must abide by when outsourcing cloud functionalities. In particular, the Privacy Code provides also criminal sanctions, differently from the GDPR, for the most severe cases of violation.

The Code of Digital Administration (Legislative decree No 85/2005, 'CAD'), regulates the creation, reproduction, storage and digital transmission of digital documents.

In the cybercrime sector the most relevant provisions are the Criminal Code, that sets forth the specific criminal offences relating to IT and computer crime; Legislative Decree No 231/2001 on company criminal liability, which provides for sanctions against cybercrimes committed by such entities; and Legislative Decree No 65/2018, which implemented the new EU Directive on the security of Networks and Information Systems.

In addition, Law No 633/1941 ('Copyright Law') includes specific criminal sanctions against those making available to the public protected works, or parts thereof, by introducing them into IT networks.

More specific regulations have been provided with reference to certain industries, such as public administration and banking, for example. In respect of the first, Article 68 of the CAD imposes public administrations to acquire computer programs after conducting a particular market evaluation on cloud providers and other software solutions. Furthermore, Circulars No 2 and 3 of 9 April 2018 issued by the so-called Agency for Digital Italy (AgID) specifically impose further obligations for cloud service providers with regard to data protection, recovery of data, data interoperability and portability. In addition, AgID issued specific guidelines for disaster recovery of public administrations. In the banking industry, Bank of Italy’s (Italian Central Bank) Circular No 263/2006 has introduced strict conditions for outsourcing banks’ functions (eg, cloud functionalities), including: the compliance with a specific internal policy when adopting decisions on outsourcing; the prohibition to delegate the bank’s responsibilities; a clear definition of rights/obligations of banks and providers and the demanded service level (including in emergency cases) within the agreements with external cloud providers; the monitoring of the outsourced functions and the designation of an internal supervisor for each function; the notification to the Bank of Italy of their intention to outsource important functions 60 days prior to the assignment; and the delivery of a report, by 30 April of each year, to the Bank of Italy on the supervision carried out on important operational outsourced functions.

Moreover, under Circular No 285/2013 of the Bank of Italy, agreements with cloud providers must include several warranties for the banks, including the indication of the location of the data centres processing the bank’s data; the implementation of monitoring systems of the operations performed by the provider; and of audit methods appropriate to the outsourced data and to the type of cloud service.

The processing of personal data by means of cloud services may determine some challenges related to the security (loss of data due to the use of Internet and remote applications and to the sharing of data, insider threats, organised crime, etc) and also to the compliance with regulations and standards the organisation is subject to. Moreover, a particular issue arising from use of cloud services is that data can be stored in foreign locations, and may be transferred from one location to another repeatedly or may be located in multiple sites at a time, so that there may be a diminution or a loss of control over data and processing carried out on behalf of the data controller.

The Italian privacy legislation relating to cloud computing derives from the GDPR and there are no other specific national laws on this matter. As the national legislation implementing GDPR is still quite recent, there are no resolutions of the Italian Data Protection Authority issued on this specific practice area.

See 1.1 Laws and Regulations.

See 1.1 Laws and Regulations.

Using distributed ledger technologies (DLT) is one of the biggest challenges when it comes to legal and regulatory matters in Italy. The regulatory and legal framework is, at the moment, extremely uncertain as it does not cover 'blockchain' per se or even DLTs (as happened in Malta in 2018); therefore, the primary aspect to deal with in addressing this matter is what blockchain is going to be used for. The answer to that can help to identify the appropriate legislative and contractual ground to rely on.

A primary distinction would be between projects aimed at giving rise or dealing with 'crypto assets' and projects using DLTs for other purposes.

DLTs can be used to generate 'tokens' of different types. Certain tokens simply represent a pure virtual asset with no rights enforceable against a counterpart, and can be used as a currency (bitcoins are the most famous example). In that case, providers of DLT services should take into account anti-money laundering, currency exchange and tax regulations in the first place.

A second type of token comprises virtual assets that incorporate rights enforceable against one or more parties. For example, such tokens can give rise to a right to immediate or deferred payment and therefore might fall under the definition of 'security' and be subject to financial and security exchange regulations.

A third type of token gives the holder the right to an immediate or future service or asset. In such a case offering coins might fall under traditional civil code provisions on co-ownership, donation, public offering of goods or services, sale of future assets or unilateral undertaking to award goods or service upon certain conditions. Offering such items to the public at large can easily fall under consumer protection rules as well. Risks and liabilities, therefore, need to be assessed on the basis of the actual and specific nature of the intended DLT project.

Intellectual property can be either the bundle of rights arising from the development of a DLT project or the content of the transaction recorded on the blockchain. The architecture of a DLT project can certainly be a proprietary right, while the underlying software used to develop the applications necessary to operate on the blockchain is often open source or however based on public libraries and protocols adopted to secure interoperability, but there are the same time countless applications that are proprietary. Blockchain, however, is an excellent tool to track and record property conveyance, IPRs generation, prior art, authorship and any information and transaction necessary to identify the time and parties material to an intellectual or industrial property right. The timestamp allocated to a bit of information on the blockchain is an effective method to give certainty to a specific right or assignment, and can make blockchain the new environment to protect and exploit IPRs. Applications are multiple in the IP realm and there are already many projects leading the way to this new environment for immaterial assets.

Data protection is one of the biggest challenges and issues when it comes to blockchain as its decentralised nature is often considered the main obstacle to identify a data controller and therefore the epicentre of the GDPR regulatory framework. However, there are certain types of blockchain which are 'private' and subject to a central control which can easily fall under the scope of GDPR. At the same time, businesses that provide services connected to the blockchain environment (wallets, exchanges, trading platforms) are clearly subject to GDPR as they are distinct entities processing data for their own purposes.

Another challenging aspect for service providers is defining accurate, realistic and bearable service levels for the activities they have to perform. Supplying DLT services is often an admixture of pure-blockchain (decentralised and not subject to the control of the provider) and business services. A DLT service provider should carefully assess and identify those aspects that are realistically under his or her control and filter out from the KPIs those items that are entirely dependent on the blockchain, and therefore subject to events independent from the provider. However, this is not the only critical issue on liability, as there is another one of relevant magnitude – this being jurisdiction. Identifying the applicable jurisdiction can be a headache in purely decentralised environments, while the issue becomes easier to handle when considering vertical services located in a specific place. Again, the primary aspect is to identify what DLT service is concerned and what type of blockchain (public, private) is going to be used.

See 2.1 Risk and Liability.

See 2.1 Risk and Liability.

See 2.1 Risk and Liability.

See 2.1 Risk and Liability.

Big data has been one of the most debated issues in recent years and has finally become 'business' after years of discussions about its potential. The legal impact of big data needs to be assessed on the basis of the type of information to be processed and the service underlying the project. Needless to say, most big data projects concern personal data, and if that is the case, then GPDR (as well as Italy’s Privacy Code) is the main instrument to look at. The ability of the provider to pursue its business scope in dealing with personal data depends on his or her degree of GDPR compliance and his or her skills in combining data protection with smart business solutions. When looking at a data set, if the intended purpose is making business out of such data, then we need to rely on a workable legal basis to process such data and, to the extent possible, to get rid of personal identifiable information at the earliest opportunity. Anonymised data sets are out of GDPR scope and managing to create a large anonymised consumer database can be a great business success, provided all necessary requirements were met. Handling personal data in the wrong manner or, even worse, breaching GDPR when building a database can give rise to severe liabilities. Service providers and businesses in general are struggling to find adequate insurance coverage for data breaches and GDPR breaches, as there is still great uncertainty in connection with both sanctions applied by supervisory authorities and the amount of damages that can be claimed by affected data subjects. Any business willing to run a big data project needs to be prepared to bear the regulatory burden the GDPR provides for data controllers, and invest in security to make sure that data subjects are protected from data breaches and avoid computer crimes from being committed. Indeed, when big data concerns personal data, a large number of individuals can be exposed to serious offences that would affect one fundamental individual right – privacy – what makes GDPR a key factor to preserve such rights and maintain effective safeguards against the danger surrounding big data.

The business of big data does not consist exclusively of making such information available against consideration, but also includes building databases that can be protected under copyright and a sui generis right provided for by Italy’s Copyright Law. A database can be considered 'opera dell’ingegno', a copyright work, when it entails original, creative, methods to organise and present information. Such protection is identical to that granted to works of art or literature and can give rise to substantial economic value. The sui generis rights protects the creator of the database from unauthorised use or extraction and, although effective for a much shorter term (15 years), is also a valuable tool to generate value from data.

Data can be assets or commodities, and as such can be exchanged and traded, also cross-border. Such trading is not different from that of other intangible assets and gives rise to the legal issues usually concerned with international commerce. Harmonised EU laws on data protection, IP and commerce are an essential factor to promote cross-border business based on big data and constitute the main legal framework to look at when assessing the relevant aspects of an international big data project.

See 3.1 Big Data.

See 3.1 Big Data.

The concept of the Internet of Things (IoT), as explained by the Working Party Article 29 (WP29) in its opinion 8/2014, refers to an infrastructure in which billions of sensors embedded in common, everyday devices are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities.

Usually the IoT implies the processing of personal data – for example, in order to measure the user’s environment data or to observe and analyse his or her habits – which could result in a high risk to the rights and freedoms of natural persons.

As highlighted by the WP29 this risk is identified especially in situations where, without IoT devices, personal data could not have been interconnected (or it might but only with great difficulty).

Therefore, pursuant to Article 35 of GDPR and following the list of processing operations which require a data protection impact assessment provided by the Italian Data Protection Authority (Resolution No 467/2018), the data controller shall carry out a privacy impact assessment before any new applications are launched in the IoT.

This assessment should enable the data controller to implement the appropriate measures, particularly during the design stage, in order to mitigate the risks identified.

Moreover, every stakeholder in the IoT system should apply the principles of privacy by design and privacy by default pursuant to Article 25 of the GDPR.

This also means that the design of the data processing methods within the IoT infrastructure should minimise the presence of redundant or marginal data and avoid any potential hidden bias and any risk of negative impact on the fundamental rights and freedoms of the data subjects.

Therefore, personal data that is unnecessary for the services offered through the IoT system should not be collected and stored 'just in case' or because 'it might be useful later'.

In any case, when personal data is not necessary to provide a specific service run on the IoT, the data subject should at least be offered the possibility to use the service anonymously.

Moreover, personal data collected and processed in the context of IoT shall be kept for no longer than necessary for the purpose for which the data was collected or further processed. This necessity test must be carried out by each stakeholder in the provision of a specific service on the IoT, as the purposes of their respective processing can in fact be different. For instance, when a user does not use the service or application for a defined period of time, the user profile should be set as inactive. After another period of time the data should be deleted. The user should also be notified before these steps are taken.

The data controllers and the data processors in the IoT context should also note that under Article 32 of the GDPR they shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Therefore, any stakeholder acting as a data controller or a data processor remains fully responsible for the security of the data processing. Consequently, it is necessary for these subjects to perform security assessments of systems as a whole, including at components’ level, applying principles of composable security. In the same line, use of certification for devices as well as the alignment with internationally recognised security standards can be implemented in order to improve and demonstrate the overall security of the ecosystem of the IoT.

Additionally, while devices that are designed to be accessed directly via the Internet are not always configured by the user, security practices based on network restrictions, disabling by default non-critical functionalities, preventing use of un-trusted software update sources (thus limiting malware attacks based on code alteration) should be implemented in order to contribute to limiting the impact and the extent of possible data breaches.

Furthermore, an adequate data breach policy can also help to limit the negative effects of software and design vulnerabilities, by spreading knowledge and providing guidance on those issues.

Finally, the data controllers shall provide the data subjects with an adequate privacy notice under Articles 13 and 14 of the GDPR, which provides clear information on data processing, categories of data collected, purposes of processing, all the subjects involved in the data flow (such as data controller, data protection officer, persons authorised to the processing, data processors and the recipients or categories of recipients of the personal data), data retention period, modalities and means used for the processing, possible personal data transfer to an Extra-EU country and appropriate safeguards used to lawfully allow this transfer, the description of data protection rights and how data subjects can exercise them. Depending on the applications, this privacy notice could be provided, for instance, on the connected item, using the wireless connectivity to broadcast the information, or through a QR code or a flashcode printed on the product.

Local laws are always a challenging issue when it comes to service agreements to be performed in Italy. The magnitude of the impact of local legislation depends on what services are specifically awarded to the service provider. A system integration project involving hardware/wiring work to be performed on site at the premises of the client can trigger burdensome obligations regarding health and safety and employment regulations protecting workers from environmental and workplace hazards and from failure of their employer to pay wages and social security allowances. Such obligations usually involve both the client and the contractor, which are even jointly liable for certain mandatory obligations regarding employment protection.

Applying to become a supplier of a local organisation in Italy often requires a qualification process that includes filing certificates and declarations for compliance, anti-bribery, anti-money laundering and anti-corruption purposes. Responding to a call for tender issued by a public entity also requires specific formal requirements for the submission and entails disclosure of specific documents from the prospect contractor.

When services consist of software development or application design, a crucial aspect is copyright and other IPRs that may arise in connection with the development of computer programs or digital content. Italy’s copyright law requires written evidence of copyright assignment and it is always strongly recommended to draft the IP section of the service agreement accurately to identify the foreground IP  that may be assigned and govern any relevant aspect of the background IP of the parties.

Also in this context, data protection and data security are the most debated issues when it comes to IT services agreement. Service providers contracted to provide storage, hosting, application management, maintenance or even bug fixing might need to access or handle personal information. In such cases, their relationship with the client is almost certainly that of processor-controller under Article 28 of the GDPR and that triggers a number of contractual issues, ranging from security measures the processor is required to implement (and their impact on costs and revenues) to the liability such processor is going to incur when processing data on behalf of the controller. The Italian legal environment is challenging when it comes to processor’s liability, as such liability under GDPR is often mistaken by controllers as an ordinary contractual liability; as a consequence, data processing agreements under Article 28 of the GDPR are often drafted by controllers with open-ended, unlimited, all-round liability and hold-harmless clauses that can turn out to be simply unbearable for many service providers acting as controllers. On the other hand, tech giants operating as processors impose their own DPAs with liabilities capped at very low amounts, which leave controllers with a substantial risk of finding themselves unable to recover satisfactory damages from processors that breach their obligations.

See 5.1 Specific Features.

The main data protection law is the GDPR, which came into direct legal effect in all EU Member States on 25 May 2018, and the Italian Privacy Code, as amended by the Legislative Decree No 101/2018 (enacted to harmonise the local law with the GDPR (hereinafter, 'Data Protection Laws').

Data Protection Laws lay down rules relating to the protection of personal data, their processing and their free movement, as well as to the protection of fundamental rights and freedom of data subjects. They apply only to personal data, not to data regarding legal entities.

According to their material scope, Data Protection Laws apply to the processing of personal data wholly or partly by automated means and to the processing which is part of a filing system or is intended to be part of it. As to the territorial scope, they apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in Italy, regardless of whether the processing takes place in this country or not, and to the processing of personal data of data subjects who are in Italy by a data controller or a data processor not established there, if the processing activities are related to the offering of goods or services to these data subjects or to the monitoring of their behaviour.

Key data protection principles can be summarised as follows:

  • lawful processing: personal data must be processed lawfully, on the basis of a legal base provided by the GDPR, that, for businesses, are predominantly the consent of the data subject, the fulfilment of a contractual obligation or a pre-contractual action required by the data subject, compliance with legal obligations or a legitimate interest;
  • transparency: personal data must be processed fairly and in a transparent manner, after having served an adequate privacy notice to data subjects;
  • purpose limitation: personal data may be collected only for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes;
  • data minimisation: personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accuracy: data must be accurate and, where necessary, kept up to date;
  • retention: data, at least in a form that permits the identification of data subjects, must be stored for no longer than is necessary for the purposes for which this data is processed;
  • security: data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing or against accidental loss, destruction or damage, using appropriate technical or organisational measures;
  • accountability: the data controller shall be responsible for, and be able to demonstrate compliance with, the above key principles in relation to its data processing.

In practice, each data controller shall start a data processing only after having clearly identified the perimeter of the processing activities that it wants to pursue and their compliance with the above key data protection principles.

Moreover, each data controller shall check whether said processing will be protected by adequate organisational and technical security measures.

The data processing, in particular, must be clearly described to data subjects with an adequate privacy notice, that, in a concise, transparent, intelligible and easily form, shall provide information on the data controller and its data protection officer, where applicable, the type of data collected, the purposes of processing, the recipients or categories of recipients of personal data, if any, information on the possible data transfer to an Extra-EU country and the appropriate safeguards used to lawfully allow this transfer, the data retention period, the description of the data protection rights and the modalities under which data subjects can enforce them with the data controller.

Concerning organisational measures, data controllers shall check the internal and external personal data flow in order to give appropriate instructions to all its staff and its providers that process said data, implementing an audit system to assess compliance with said instructions. Where applicable, the data controller shall appoint a data protection officer and shall put in place policies to appropriately manage data processing, such as the following procedures:

  • a data breach policy, setting forth the process to be followed in case of data breach in order to comply with GDPR;
  • a privacy by default and privacy by design policy suitable to ensure that, for any projected data processing, collection, storage and handling of data and the relevant data retention period will comply with the data protection key principles and will be limited to what is necessary for the intended purpose and safeguarded by appropriate technical and organisational measures;
  • a data subject request policy;
  • an IT policy regulating the use of IT and company devices, the use of business e-mail and the Internet at work;
  • a data protection impact assessment procedure, in order to carry out a DPIA where the type of the processing that data controller wants to put in place is likely to result in a high risk to the rights and freedoms of natural person.

Moreover, the data controller and data processor shall implement the record of processing activities, in which they have to register and keep up to date all the relevant information on the categories of data processing.

Finally, in relation to technical security measures, data controllers and data processors, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk for the rights and freedoms of natural persons, shall implement appropriate technical measures to ensure an appropriate level of security, such as pseudonymisation and encryption of personal data, the ability to ensure confidentiality, integrity, availability and resilience of processing, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and a process to regularly test and evaluate the effectiveness of these measures in ensuring the security of the processing.

See 6.1 Core Rules Regarding Data Protection.

See 6.1 Core Rules Regarding Data Protection.

See 6.1 Core Rules Regarding Data Protection.

The workplace is a community where it is necessary to ensure that data subjects’ rights, fundamental freedoms and dignity are protected. To that end, employees are entitled to a reasonable protection of their privacy in personal and professional relationships.

The employer is required to provide clear-cut, detailed information on the appropriate use of the equipment that is made available to the employees as well as on whether, to what extent and how inspections are carried out.

Moreover, data subjects have the right to be informed in advance and unambiguously about any processing operations that may concern them in connection with possible inspections.

The purposes of such controls shall be specified by the data controller in its privacy notice pursuant to Article 13 GDPR and may relate to specific organisational, production and/or occupational safety requirements. They may also relate to the submission of, or a defence from, a legal claim.

Generally, in performing inspections on the use of electronic devices, the guidelines applying to the use of e-mails and the Internet in the employment context issued by the Italian Data Protection Authority specify that unwarranted interferences with the fundamental rights and freedoms of employees have to be prevented.

Inspections are only lawful if the relevance and non-excessiveness principles set forth by the law are complied with. Therefore, preference should be given, where feasible, to preliminary inspections on aggregate data related to the whole business and/or specific units.

Additionally, anonymous inspections could result into the issuance of warnings on the non-standard use of the electronic tools made available by the company, whereby all the entities concerned might be called upon to comply strictly with the relevant instructions. Such warnings might be only addressed to the employees working in the department/unit where inappropriate use of company devices was detected. In the event no subsequent unacceptable device use is detected, further inspections focused on individual employees are not admitted in principle.

However, prolonged, continued and/or blanket inspections are, in any case, inadmissible.

With reference to web traffic monitoring aimed at preventing inappropriate use of the Internet (such as browsing for reasons that are not connected to work), the employer is required to take suitable measures in order to prevent ex-post inspections on the employees.

In particular, the employer may take appropriate measures such as specifying the categories of website that are regarded as related/unrelated to work and configuring systems to prevent certain operations from being performed (eg, uploading files, or accessing blacklisted sites and/or downloading certain files or software).

On the private use of company e-mail, the Guidelines suggest to adopt a specific policy in order to avoid that the employee and/or third parties expect certain types of communication to be kept confidential.

In any case, it is appropriate to take measure to prevent processing operations likely to be in breach of the relevance and non-excessiveness principles applied in the Italian jurisdiction in connection with employee inspections and monitoring.

Such measures include the availability of specific user-friendly functions to allow automatic out-of-office reply messages in case an employee is not at work and the implementation of policies aimed at allowing trusted colleagues to access the content of e-mails considered of relevance for the employer in the event an employee is unexpectedly not at work or is going to be on leave for a long period.

The technologies currently falling within the scope of telecommunications rules (pursuant to Article 2 of the Legislative Decree No 259/2003 – the 'Electronic Communications Code' – which constitutes the main regulation of the telecommunications field) are:

  • electronic communications networks and services for public use, such as: phone centres, Internet points, Internet Service Providers’ products, telephone traffic resale, voice-over-IP, fax services, public telephone services, public network supplies, satellite services, networks used for the broadcasting of sound and television programmes and cable television networks;
  • electronic communications activities for private use, such as radio amateurs and low-power equipment to support companies (eg radio stations used for radio taxis, security services, civil protection associations);
  • protection of submarine electronic communications installations;
  • radio-electric services.

Instant messaging is still not included. In fact, to date no specific fulfilments for providing such services are required, since they are just considered as part of mobile applications.

Radio frequencies needed for RFID devices (Radio Frequency Identification) are subject to the regime of 'free use' under Article 105, paragraph 1, letter (o) of the Electronic Communications Code. This was established by the Ministerial Decree of 12.7.2007 of the Ministry of Communications, which stated that said radio frequencies may be freely used (having such RFID devices the technical characteristics set out in EU Decision 2006/804/EC) on a non-interference basis and without the right to protection.

The provision of electronic communications networks and services is subject to a general authorisation from the Ministry of Economic Development – the 'Ministry' – (pursuant to Article 25 of the Electronic Communications Code). To this purpose, operators must submit certain information (concerning, eg, their legal representatives, their offices, the description of the type of network involved, the offered services, apparatus used and their location) by means of the so-called 'certified notification of starting activity', and can exercise the activity from the date of filing said notification.

Within 60 days from the application the Ministry verifies the existence of the prerequisites and, if necessary, can prohibit the further continuation of the activity.

Specific conditions to obtain the general authorisation may be required in relation to certain telecom technologies. For example, a company interested in obtaining/renewing an authorisation for offering telephone services to the public (including resale of telephone traffic, VoIP etc) must submit a certificate of the criminal records of the legal representative or a self-certification and a self-certification of registration with the Chamber of Commerce with anti-mafia clearance.

Each year, by 31 January, administrative fees must be paid for the general authorisations above (pursuant to Annex No 10 of the Electronic Communications Code).

Specifically, for providing public communication networks, an operator is required to pay:

  • for the entire national territory: EUR127,000;
  • for a territory with more than one million and up to ten million persons: EUR64,000;
  • for an area with more than 200,000 and up to one million persons: EUR32,000;
  • for a territory with up to 200,000 inhabitants: EUR17,000;
  • for companies providing their service primarily to end users equal to or less than 50,000: EUR500 per thousand users. The number of users is calculated on the amount of lines activated for each end user.

For providing public telephone services, an operator must pay:

  • for the entire national territory, EUR75,500;
  • for a territory with more than one million and up to ten million people: EUR32,000;
  • for an area with more than 200,000 and up to one million people: EUR12,500;
  • for a territory with up to 200,000 inhabitants: EUR6,400;
  • for companies providing their service primarily to end users equal to or less than 50,000: EUR300 per thousand users. The number of users is calculated on the amount of numbers activated for each end user.

For providing mobile and personal communication services, an operator must pay:

  • for companies that provide their service primarily to end users equal to or less than 50,000: EUR1,500 per thousand users;
  • for companies that provide their service primarily to more than 50,000 end users: EUR75,000.

For providing, even jointly, electronic network or communication services by means of satellite, an operator must pay EUR2,220 for up to ten stations, EUR5,550 for up to 100 stations, EUR11,100 for more than 100 stations.

Companies holding a general authorisation for providing other electronic communications services, not included in the ones above, must pay EUR600 for each location in which the switching devices are installed.

Authorised operators have also to pay an annual contribution to the Telecommunication Authority ('Authority') for being registered in the Italian Communications Operators’ Registry. This contribution is annually determined as a percentage of the net turnover of each operator. In 2018, this was 1.35% (Authority’s Resolution No 426/17/CONS).

The provision of audiovisual services is subject to the obtainment of an authorisation, granted on the basis of a procedure and in presence of certain requirements which vary upon the service, pursuant to Legislative Decree No 177/2005 ('RadioTV Law').

A national Digital Terrestrial Television ('DTT') authorisation can be requested by joint-stock companies or co-operatives having their registered office in Italy or in the European Economic Area (EEA), or by companies having their registered office in third countries which apply a reciprocal treatment to Italian organisations (pursuant to the Authority’s Resolution No 353/11/CONS).

The applicant companies must also have as business purpose, radio television or publishing activity or in any case activity related to information or entertainment and their directors or legal representative must not have received certain criminal convictions or precautionary and/or security measures.

The authorisation is granted by the Ministry, upon the payment of a fee of EUR7,000 (which is lower for European authorisations operating at national or local level, for local or provincial authorisations), within 30 days from the submission of the application, unless the term is postponed for further 30 days for additional verifications. It is valid for 12 years, can be renewed for equal periods and can be assigned to third parties in presence of certain conditions.

A similar procedure must be followed for the provision of radio services pursuant to the Authority’s Resolution No 664/09/CONS, by submitting an application to the Ministry upon the payment of a fee of EUR3,000 for national providers having the same prerequisites.

The provision of associated interactive services or conditional access services on television terrestrial frequencies, including pay per view, is subject to the obtainment of a general authorisation, by submitting to the Ministry, pursuant to Article 25 of the Electronic Communications Code, a declaration (the so-called 'certified notification of starting activity') after which the applicant can start its activity immediately, while the Ministry verifies the possession of the prerequisites within the subsequent 60 days, issuing, where necessary, the order not to continue its activity.

The general authorisations have a validity not exceeding 20 years (their expiry date is on 31 December of the last year of validity) and can be renewed.

A satellite authorisation, granted by the Authority pursuant to the Authority’s Resolution No 127/00/CONS, is subject to the payment of a fee of EUR6,026.96, while the coaxial cable authorisation is granted by the Ministry pursuant to the Authority’s Resolution No 289/01/CONS, upon the payment of a fee of EUR7,000.

Both authorisations can be granted only to joint-stock companies, having their registered office in Italy or in the EEA (or in countries applying a reciprocal treatment as above), whose directors and legal representatives have not been sentenced as for the DTT authorisation, after a procedure that lasts up to 60 days, or 90 in the case of postponement for additional verifications. They are valid for six years and can be renewed.

A different regulation applies to services transmitted through 'other means of electronic communication'; that is, the electronic communications networks other than those via satellite, DTT and coaxial cable (which include mobile networks excluding the transmissions through DVBH, Internet, IPTV, web TV and therefore also video channels online, eg, YouTube), depending on whether they are in 'linear' mode ('streaming' or 'simulcast' services) or in 'non-linear' mode ('downloading' or 'on demand' services).

In the first case, the authorisation for transmitting audiovisual or radio services through 'other means of electronic communication' is granted by the Authority to joint-stock companies or partnerships, co-operatives, foundations, incorporated and unincorporated associations and natural persons having their registered office or residence in Italy or within the EEA, or in a third country on condition that it applies a reciprocal treatment towards Italian citizens. Also in this case, the applicants must have as business purpose the radio television or publishing activity or in any case related to information or entertainment and their directors or legal representative must not have received certain criminal convictions or precautionary and/or security measures (Authority’s Resolution No 606/10/CONS).

Such authorisation, granted upon the payment of a fee of EUR500 (or EUR250 in the case of radio services) has a validity of 12 years, can be renewed for equal periods and can be assigned to third parties in possession of the prerequisites.

In the second case, non-linear audiovisual media services can be provided upon the submission at the Ministry of the 'certified notification of starting activity', while the other prerequisites and conditions are the same as for linear services, including the duration and the fees (Authority’s Resolution No 607/10/CONS).

In both cases, the authorisation for providing the linear or non-linear audiovisual media services through 'other means of electronic communication' must be obtained only when the following conditions are cumulatively met:

  • providers have the editorial liability over the content transmitted in any form exercised;
  • such services are provided with a view to profit and in competition with the television; and
  • they have minimum revenues deriving from advertising, TV sales, sponsorship, contracts and agreements with private and public entities, public funds and/or Pay TV services, equal to EUR100,000.00 per year.

Providers of audiovisual media or radio services on DTT, satellite or coaxial cable can carry out the simultaneous and full re-transmission over the 'other means of electronic communication', at no cost, upon prior notification to the Authority and to the Ministry. Such notification is due also by the providers of linear or non-linear audiovisual media services through 'other means of electronic communication' which broadcast via satellite or coaxial cable.

See 9.1 Main Requirements.

Encryption has been known for decades by the Italian legislator. One of the first regulations which referred to encryption was adopted in 1967 (Decree of the President of the Republic No 18/1967) and is still in force. Such regulation governs the functioning of the Ministry for foreign affairs and reads that offices involved in these matters are equipped with encryption technology which shall be used in order to ensure the secrecy of the communications between the Ministry and the branches located abroad.

Since then, several laws and regulations have been approved but a complete and certain legal framework is still needed. Although one may observe a number of legal provisions recalling encryption, most of them are intended to lead public administrations and other public-related entities to the adoption of IT structures which ensure high levels of safety in data protection and data security. A brief overview of the matters where encryption is used may clarify how it appears in the Italian legal system.

The most important tool, especially for lawyers and professionals, is the so-called 'digital signature' which captures the signatory’s intent to be bound by the terms of the signed document, like its handwritten counterpart in the offline world. Since this tool allows the pairing of a document to the relevant signatory, the technological requirements are set forth specifically by the law. In particular, digital signatures shall be based on a system of public and private cryptographic keys in order to ensure certainty and safety to the digital document. The digital signature is currently used to create and sign documents which have to be filed before both Italian courts and other public bodies, so that professionals, judges and public employees are required to own a personal digital signature and deal with encryption on a daily basis, although they do not need any technical expertise.

Moreover, encryption is used by the public administration in the context of the transmission of data which requires secrecy and safety. For instance, the data gathered on slot machines or the questions submitted during the written examination of the bar exam shall be transmitted using encryption methods and cryptographic keys. Also, the operators on the financial market have to use bilateral authentication and encryption keys in the context of communications with the Bank of Italy. Finally, encryption is used to ensure the anonymity of public employees who are resolved to notify to the Italian Anti-Bribery and Corruption Authority a breach of law noted at work (ie, whistleblowing).

It is self-explanatory that all the above implementations of encryption technologies impose public administrations to adopt specific procedures and are aimed at guaranteeing a high level of safety in gathering and transmitting data and information. However, as to the core of the issue, none of those requires companies to specifically use encryption technology, except for the digital signature (which is a tool based on encryption technology, but is not a direct use of encryption by companies or professionals).

Encryption is indirectly used by companies for communications with public administrations or other private entities. Nevertheless, it seems that the current legal framework lacks provisions which allow the exemption from certain rules where the relevant company enacts the use of encryption technologies.

See 10.1 Legal Requirements Governing the Use of Encryption.

R&P Legal

Piazzale Luigi Cadorna, 4
20123, Milano
Italy

+39 02 87 31 31

+39 02 87 31 33 22

milano@replegal.it www.replegal.it
Author Business Card

Law and Practice

Authors



R&P Legal counts eight partners and 12 associates and assists clients in the television, cinema, internet, technology and music sectors, including major national and international operators. The team advises on specialist contractual issues, regulatory matters, disputes, financing contributions and instruments such as tax credits and product placements, and on relations with the relevant Authorities, Ministries, the SIAE (the Association of Italian Authors and Publishers) and other collecting entities. It also assists clients with respect to tax credits, tax shelters and local incentives in the theatrical production sector, assists major ISPs in relation to copyright infringement issues, assists musical talents in relation to recording, publishing, tour, endorsement and merchandising agreements, assists music publishers in connection with the sale/licensing of their catalogues, drafts technology development and transfer agreements, and assists clients with privacy/data protection matters, among many others. In particular, it is active in drafting privacy impact assessments aimed at making data-processing compliant with the GDPR, and also assists clients with big data management, IoT projects, communications with the competent authorities, the extra-UE transfer of databases and/or their assignment to third parties, OBAs and cookies. The firm also advises on compliance, the strategic implementation of specific IT or web-based projects, e-commerce, innovative services, and advertising and marketing initiatives. The firm is a member of ADLaw International, the International Association for the Protection of Intellectual Property (AIPPI), ITechlaw and the International Trademark Association (INTA).

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.